rAcKShen

That is easy to explain: When you go through the wizard, you cannot deny it, it just happens. So it happened to me on the first time. I am sure that happens everyone who is not on the stable release but resets his device. Back then, I am not sure, I understood the downgrade is related to the wizard. First, I thought, the wizard is just re-installing some components as it always does. So I trapped into this a second time later. And then, I trapped into this a third time because it is so unusual and I forgot about it. So, my experience is actually the problem here: My expectation is still that this should not happen. So I placed a post-it on the device. Perhaps that helps next time. There is a second issue: When the device starts up, you cannot deny the wizard, the first step is always within the wizard. At least the wording is giving that impression. Only, only, only on page two of the wizard (not earlier, not later) I am able to exit the wizard. I had to find that button. I missed that several times, too. There is a third issue: 3.9 Alpha adds a new connection setup (DS-Lite with AFTR), which is needed here for one of my ISPs. So, I was curious to test the wizard how it is handled there. And then, at the end, I get downgraded to a version which does not give me access to that ISP. So, actually, I am wrong in my previous prost; I could test the wizard. Just get a bit of additional work afterwards. If Keenetic wants to force an update, OK. But then please on the branch were I left. Even better: If I am on a non-stable (faster) branch, ask whether I want to continue on that branch, or whether I want to go for one of the slower branches.

When I enable the guest segment and connect a (W)LAN client, I do not see any IPv6 (Router Advertisements). Therefore, my client does not create an IPv6 address. Therefore, no IPv6 connectivity. Is that expected? The IPv6 prefix of my Internet Service Provider is large enough for several segments.

OK. That is bad because – with my workaround above – several things are not set as expected by Keenetic support. That again can be workedaround with the trick of Ahmed. Thanks for that! However, I want to test the wizard actually, with the latest release (because of the new DS-Lite support). I cannot do that. If possible, that choice should be reconsidered. Never saw a downgrade with other vendors because of resetting and using a wizard. Was very unexpected. So unexpected, I forgot and got downgraded several times by now. 🤪

For Dynamic DNS, I use No-IP. KeeneticOS 3.9 Alpha 4 sends the IP updates (and my password) in clear text because it uses HTTP. Is there a reason not to use HTTPs as offered by No-IP?

Using the latest 3.9 alpha 4, PPPoE, IPv6 component installed and enabled … IPv6 works great on my clients. However, in Apple macOS, I do not see a DNS server via IPv6, just IPv4. Therefore, I opened Wireshark and filtered for icmpv6.type == 134 || dhcpv6. The router advertisement (RA) has the flag Other set. Therefore, LAN clients ask the (stateless) DHCPv6 server for the DNSv6 server. And that server does not answer. Is the RA simply wrong and there should be not DHCPv6 server. Or is the DHCPv6 server simply not running? Yes, I know, from the user experience, this is no issue because I can do IPv6 (DNS-AAAA) even via the existing DNSv4. However, my clients search for that DHCPv6 server all day long. And this is not the way it was designed. Either the Other flag is set incorrectly. Or a DHCPv6 server should answer.

OK. Then, I do not understand it. Exactly, every 24 hours, another, a different IP is connected. I am not so much about that daily phoning home, I am more confused by that several ones after the first start. I see five TLS connections, some to the same, some to different IPs (of ‘ndss.keenetic.ndmsystems.com’). Any chance to look into those connections? I redirected the DNS, but you use HTTPs with Certificate Pinning. The used trust anchor ‘4096-KNT-root-ca.crt’ can be found in the file system, in ‘/usr/share/sign-ca-certificates‘. However, I am not able to simply replace the file content because it is on a read-only partition.

Yes, I know. By the way, is there an easy way to look into what is exchanged exactly? Looking at Wireshark and the timings, it looks like failing over because it tries several different IPs in a row (and I blocked none of them, the TLS handshake succeeds and it looks like exchanging data successfully). Might be a bug but cannot say for sure.

I am in the channel Dev and had 3.8 Alpha 8 installed. When I went for a Reset via the Web interface, the initial Wizard pops up again. When I go through the wizard, I was forced to install the latest update, on the channel Main: 3.7.4. Is this intended? I use the following path right now which feels like a workaround: When the wizard pops up, I hit the button ‘Run Wizard’. Then, I get a page with the modes. There is a button ‘Exit Wizard’. When I go for that, I am not forced to downgrade. However, many settings (like the mode and the recommended systems components are not set then).

This is a small how-to silence a Keenetic in the mode Extender which can be used as a ‘Wi-Fi Bridge’, sometimes called ‘Wi-Fi Access Point’. This is useful, when you have no Keenetic in the mode Router around and you want a silent Access Point without NAT or Firewall, just doing Wi-Fi. Most of the steps are based on this help article. However, I had to do more: reset your Keenetic (button, Web, or CLI) when the Wizard in the Web interface offers the button ‘Exit Wizard’ go for that go for the command-line interface (for example, via the Web interface) and enter: interface Home lldp disable no ntp server ntp server 192.168.178.1 ntp sync-period 40320 no service internet-checker components remove cloudcontrol components remove sstp-server (on default, was not installed) components remove webdav components remove ndns components remove ip6 (on default, was not installed) system configuration save components commit Keenetic does not learn the NTP server from DHCP. Therefore, I changed it manually to the IP address of my local main router. Double-check your IP address and that yours offers an NTP service. Furthermore, KeeneticOS 3.8 does not support IPv6 in mode Extender, yet. If you want to keep the system component IPv6 for future, then today, you have to go for: no ipv6 subnet Default system configuration save The bad news: Although I do not use any service of Keenetic anymore, I found no way to disable the ‘authentication and licensing service’ yet. So it is not totally silent and still phones home after start and once daily (connecting to all fail-over IPs learned from DNS, perhaps another software bug). The good news, the system components Package Manager (opkg) and Phone Station (nvox) can be used even in mode Extender. Consequently, I am able still to use my Keenetic for telephony like the Keenetic Linear and many more.

@vst were you able to reproduce the issue via my steps? I re-tried after applying your CLI command (which did the job, thanks, by the way): After that CLI command, when I go through my steps again, that subnet re-appears again. Consequently, I do not think, it is any kind of left-over. If you were able to reproduce the issue, do you create the bug report internally or shall I via E-mail support?

I get that subnet via: reset the system components to Minimal reset all settings exit wizard change Mode to Extender install the system component IPv6 all via the Web interface; 3.8 Beta 1. Re-tried just minutes ago.

OK, attached in hidden mode. Are you not able to reproduce this issue with the steps above? Interesting. By the way, when I go for the file ‘/tmp/run/radvd.conf’, I see interface br0 { AdvSendAdvert on; AdvOtherConfigFlag on; AdvManagedFlag off; AdvDefaultLifetime 0; }; which matches my Router Advertisements, because the Flag Other is set indeed. However, I found no way to control that file, yet. After a restart, it is overwritten. And there seem to be no command on the CLI controlling this. The closest would be ‘no ipv6 subnet mode’. However, that did not work. Is there a trick to change/overwrite that? Something like a ‘ipv6 subnet mode client’ would be the correct approach in future, I think. Especially, because currently, I do not see IPv6 connectivity in Extender mode at all. However, that is another topic.

What mean the two votes ‘need more info’ exactly? First of all: More info from me or someone from Keenetic? Steps to Reproduce: Web interface → (Management) System → Change operating mode → Extender Web interface → (Management) System → Component options → IPv6 → Install Then, on a computer in my home network, I open Wireshark and filter for icmpv6.type == 134. After several minutes, I see IPv6 RA coming from the Keenetic. Nothing inside (no IPv6 Prefix and not DNS) but still medium default route. This is confusing because I would have expected no RA from a non-router.

GL.iNet faces the same issue …

I am in the operating mode Extender. I have installed the component IPv6. While debugging something else in Wireshark, I noticed, that my Keenetic is still sending IPv6 Router Advertisements (RAs; ICMPv6 134). Nothing much included, except the default route at medium preference. Anyway, confusing because in that mode my Keenetic is (should be) no router anymore. Is that intended? Sorry, have not checked 3.7.4 whether that is a 3.8 only thing.

Yes, otherwise I would had no workaround at all. Normally, dialing should work without any Dial Rule. However, to dial a number with 0 at the beginning, I had to create the above dial rule (or alternatively had to use a ‘Line selection code’).

OK. Interesting. And I thought before, I had seen many Wi-Fi configuration interfaces. Then those devices ‘scan’ 36 to 48, only. However, 802.11ac does 80 MHz, so blocking that whole range anyway. Therefore, what is the benefit of ‘scanning’ in that range? Does it select the best control channel (36, 40, 44 or 48), the cleanest? Or Does it go down for 40 MHz if too congested? Sorry, do not get the benefit, yet. If I do no DFS, I can choose the channel statically anyway. Sounds like a legacy behavior for 802.11n interaction which did 40 MHz.

OK. Works now. Submitted. 😀

I tried that first: #10407. However, they did not know about the procedure at all. Therefore, I tried several possible E-mail addresses. And then tried here. Not sure how to proceed.

Found two security issues. Not critical software bugs. But one scores high. Did not calculate the other. And they are not in the building blocks used by Keenetic but in the configuration. So, for me, nothing to report upstream to any open-source project. I have report to Keenetic directly. Fixing them, I do not think they are very complex, should be not more than one line of code. So, worth to be reported. Many companies go for FIRST and make it easy for security researchers by providing a secure communication channel/contact/E-mail (via the provided public OpenPGP key). Does anyone know how Keenetic likes it? OpenPGP or S/MIME? Do I go for my local country support? Or a global E-mail address (tried security@ and psirt@ but failed)? Or do we go for private messages via this board (would be OK for me)? Or do we go via GitHub (no policy posted)?

Great, in my case, ‘recommended’ was my factory default. I knew those commands from the command-line documentation. However, I thought ‘minimal’ is the absolute minimum. A misunderstanding. Furthermore, I thought ‘recommended’ is some crazy big super-set. However, at least in my case, ‘recommended’ was the state when I started with my Keenetic. And ‘minimal’ is just a bit less, four components: Dynamic DNS (DDNS) Client, Media Server (DLNA), DNS-over-HTTPS proxy, and DNS-over-TLS proxy. Although the part about the languages a bit confusing: I am allowed to install not more than three languages but when I click on that ‘minimal’ or ‘recommended’ button in the Web interface (or go for our commands), I get all languages (back). Anyway, my Keenetic is now as near to factory again as possible. 😀

I am in Germany, and we use a zero to dial out of the city and two zeros to dial out of country. I am using not a DECT base but a recent analogue phone (MFW). Zero is not special on that phone, double-checked. I lift the handle, get the dial tone, dial my number … but my Keenetic is dialing just ‘0’. I hear that. And see that in the call history. Triple-checked via Wireshark. In the dial-rule syntax – Синтаксис правил набора – I saw that special ‘T’. However, either I do not understand its meaning or that did not help. Then, I went for the dial rule (00>+)x.|(0>+49)x.|(>+496181)x. Works. As a side-effect all my calls are international now, which is no problem with my telephony carrier. The ‘6181’ is for those living in Hanau and must be replaced for your city. However, I do not think that is the right approach. Is it?

OK. If anyone comes by and still has the default set of components—of a Keenetic Carrier (EU)—please, share your ‘components’ via show version.

Out of curiosity: What is that device doing then Does it look for the best control channel in the range 36-48? Or Does it violate specs and considers a broader range? Or Is this something special/normal for a Wi-Fi device in Turkey?

After a reset via the Web interface (or a change of the operating mode from Router to Extender), the components are not reset. Is there any trick to reset the components as well, except going for a Recovery?